(GDPR) — Do You Really Need That Explicit Consent?
(GDPR) — Do You Really Need That Explicit Consent?
Are you worried when you see the word ‘GDPR’?
It’s infuriating, isn’t it?
It’s been 5 months since GDPR.
Wait! If you are new to this whole thing — read our GDPR guidebook for starters.
What has changed? Oh yeah, now we get to experience those beautifully designed cookie banners on almost all the websites under the sun!
Does that mean they are compliant? Hell, no! that’s not the only thing you need to do. However, if you still haven’t got your cookie banner up and running – — try this Wordpress plugin
So, quick question:
Are you GDPR compliant?
I know what you are thinking!
Don’t worry, you’re not alone. . .
According to the research by Datanami, the 14 largest companies in the world are not compliant — including Facebook.
In any case, you need to be compliant irrespective of who else is compliant.
You can get more practical advice here — how to be GDPR compliant
But regarding this article let’s stick to the one topic that has been making all the headlines — ‘Consent, I mean Explicit Consent’.
So, what is ‘Explicit Consent’, in terms of GDPR?
Consent simply means that you need to have the data subject’s permission in order to process their data, and it is one of the methods you can follow to become GDPR compliant!
The concept of ‘Explicit Consent’ is one of the most impactful consequences of the GDPR. And the main reason is that GDPR requires you to obtain ‘a clear affirmative action or a statement’ in an explicit manner from the data subjects.
A data subject is any individual whose personal data is processed by a controller or a processor.
If you are getting overwhelmed by these legal words — read this to get a basic understanding of GDPR terminology.
Becoming GDPR compliant means you need to prove a lawful basis on how you’re dealing with data processing in your organisation.
Explicit Consent has been topping the news all the time and many organisations were/are worried about whether they need to get fresh consent from their prospects and clients.
There’s been a lot of misconceptions about explicit consent and whether it is the only lawful basis and so on. . .
Let’s be honest. GDPR still has a lot of grey areas.
Let’s discuss explicit consent, and what’s the fuss about it:
Do you really need that explicit consent?
No! here’s the thing — consent is just one of the 6 lawful bases to comply with.
According to Art. 6 GDPR, the lawfulness of data processing includes:
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
Okay, so what’s the best lawful basis?
No single basis is ’better’ or more important than the others — meaning, you can follow any of them depending on your purpose and relationship with the data subject.
Does it also mean you can follow more than one lawful basis?
Yes, you can — because it’s not like one lawful basis per one organisation.
You don’t have to pick one for your organisation and stick with it. Simply speaking, you shouldn’t go for a one-size-fits-all solution in case of a lawful basis for processing.
Ideally, you should start by identifying each and every data pool that you hold and process — such as existing customers’ data, prospective customers’ data, suppliers’ data, employees’ data, website visitors’ data, and so on so forth. . .
And then you need to carefully decide and apply an appropriate lawful basis for each of those data pools you hold and process.
But the sad thing is — even the biggest companies that we know are not up to the mark with GDPR. Their privacy policies are vague and not transparent enough. We’ll get to some specific examples in a while.
Anyways, back to explicit consent! It’s hard to get explicit consent and maintain it and more importantly prove (make it auditable) it when necessary.
This is where it gets tricky — The Recital 171 of the GDPR goes like this:
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”.
Put as simply as possible, it means that you can continue to use the consent you have already obtained pre-GDPR if that consent is in line with GDPR standards i.e. unambiguous, demonstrable, and explicit consent. That’s the issue. Most businesses haven’t obtained consents in-line with GDPR before GDPR, simply because they weren’t aware of GDPR.
For example, if your signup form has a pre-ticked box combining consent with a terms & conditions statement, then clearly your consent for this data pool is not in-line with GDPR standards and you can not use it from now on.
So, if that is the case with you, then they are invalid, and you can’t rely on them.
Even if you have carefully unbundled the consent from terms and conditions and have been getting the consent up to GDPR standards, you’ll still need to be able to demonstrate that consent. But pre-GDPR we hadn’t known about the demonstrating factor and did not have a mechanism in place to maintain and demonstrate consent. So, explicit consent is not the appropriate legal basis upon which to process the data under GDPR.
Sounds very complex right? This is why explicit consent is the most discussed topic.
So, what can you do now? What’s the alternative?
Is Legitimate Interests a GDPR gift?
Legitimate interests are simply the benefits you may gain by processing the data; you need to keep in mind that those benefits shouldn’t override the basic rights of the data subject.
Also, if you’ve decided to use legitimate interests as your lawful basis of processing, you need to keep in mind another important aspect in this concept which is laid out in Recital 47. . .
Legitimate interest is the most flexible lawful basis for processing. However, it is necessary to use people’s data only “in the ways that they would reasonably expect you to use [it], and which have a minimal privacy impact, or where there is a compelling justification for processing.”(ICO)
That means you can only use legitimate interests if the data subject can reasonably know what you are going to do with it at the time of providing the data itself.
Let’s take an example to make our lives easier. . .
When you browse Pizza Hut’s website and order something, you obviously leave your personal details. Now, it is perfectly understandable, even for a 6th grader, that Pizza Hut is going to use his details to contact him. That’s in the legitimate interest of Pizza Hut, which is not overridden by basic rights. However, Pizza Hut should not use the same details to send you an SMS every week! Why? Because when you gave your contact details you did not reasonably expect them to send you weekly SMS coupons.
So, if you want to use legitimate interests in any of your data processing activities, you need to do so ideally through a process in which you can assess the situation:
- You need to identify a legitimate interest
- Deduce that processing is necessary to achieve your interests
- Balance it against a data subject’s interests, rights and freedom
That being said, legitimate interests should, in no way, be used as a band-aid to explicit consent.
It is very important to go through the above-mentioned steps and carefully state it in a document called Legitimate Interests Assessment (LIA).
The Data Protection Network has published a detailed explanation of legitimate interests and has provided a template for assessing legitimate interests.
So, what next?
Start by looking at all different kinds of data you collect. Yes, I know it’s a difficult process, but it is inevitable.
You already understand that data plays a huge role in improving your services, marketing and all the other operations. So, if you are significantly dependent on data to make informed decisions, then you should at least start by mapping what kind of data you collect and how you process it.
As soon as you have done the data mapping step, you need to look at every single process to evaluate which data processes fall under legitimate interests, and which processes fall under contractual basis and the others. You need to basically segregate the data pools and decide your legal basis for the processing of each pool.
And that’s not it! You need to be transparent about this whole process, and clearly mention which legal basis you follow for each particular data pool and why.
As we’ve discussed earlier, even the biggest corporations on the planet are not doing it right. Their policies are significantly vague, and they don’t even mention this table of their lawful basis of processing data. How sad!
Some examples of how not to do it and how to do it the right way!
Example #1 — Facebook:
So, let’s take a look at Facebook’s legal basis for processing data:
Yes, that’s it — that’s all they say.
They merely describe the definitions of different lawful bases (as if we don’t know), and they don’t say which of their data processing activities follow which kind of legal basis.
Fine, okay — there seems to be a ‘learn more’ option. Let’s see what it contains:
My goodness, what is that?
Firstly, this information is hidden in some inner pages. And secondly, it’s written in a very sophisticated legal jargon tone, and not in a clear and easily understandable language.
In addition, they have ensured that it is very vague with a considerably disturbing user experience design!
Takeaway: Don’t be a Facebook, when it comes to your GDPR compliance! They can afford to pay fines, but can you?
Example #2 — Google:
Okay what about the godfather, how are they being transparent about ‘their’ way of handling and processing data, let’s check it out:
Well, Google didn’t get it quite right. They tried to do their best but still did not include all of their data processing activities.
Yes, they did not hide it somewhere else and they made it available in an easily understandable language, but they are very vague and did not describe everything that needs to be included.
So, you might be thinking . . . can you give me an example of how to do it considerably well:
Yes, I have another example for you, which I think did really well as far as describing how they handle data processing, and on which basis.
Example #3 — Twitter:
Twitter does an impressive job on this aspect, to be honest, they show a table that contains a lot of the general purposes for which they process personal data from the EU and the primary legal basis they follow.
How cool? The table also contains detailed information on different data processing activities with specific links for additional information.
And if you see they have identified which data processing activity falls under which legal basis. Bravo!
So, have a serious look at this page to get a nice overview of how Twitter’s legal basis for data processing rules.
Example #4 — Amnesty International UK
Amnesty International UK takes a very different and good approach in giving examples of the different legal bases they follow:
How nice is that?
So, let’s wrap up!
On a final note:
Let’s face it.
GDPR is tough to implement but it’s a good business practice with primary emphasis on transparency and accountability principles.
GDPR compliance is not something you can get done with and forget about, but it’s an ongoing process.
That is why you should consider using an all-in-one solution GDPR solution like Ecomply, and make your GDPR compliance journey as smooth as possible.
Going back to the topic — if you were previously in the opinion that explicit consent was the only road that could help you with GDPR compliance, then I’m sure this article has helped you in realising the fact that there are other roads that can help you in this journey.
Legitimate interests are the most flexible lawful basis to process data under GDPR. But it is necessary to carefully document it within your Legitimate Interests Assessment.
Do You Really Need That Explicit Consent?
Let’s break it down into two points as described in SMSwarriors’ GDPR article about ‘Marketing under GDPR and ePrivacy Regulation’:
- If your marketing plan doesn’t use additional data analytics to do profiling, then you can get away with legitimate interests as your lawful basis for processing data under GDPR and a no consent approach or soft opt-in or opt-out procedure as your lawful basis for performing marketing under PECR/e-Privacy Regulation, provided you always give them an option to unsubscribe. Here you must make sure to send only generalised marketing campaigns.
- If your marketing plan uses profiling, segmentation and dynamic content for re-marketing purposes, then you can still get away with legitimate interests as your lawful basis for processing data under GDPR, provided you have clearly set the expectation during the sign-up process and provide a link to a multi-layered privacy notice.
Additionally, you will need consent to serve these cookie and ad analytical tools to be compliant under PECR/ e-Privacy Regulation.
You can start by going through the data mapping process, identifying different data processing activities and deciding on the lawful basis that best fits your organisation.
So, if you’re still looking for a tool to organise your GDPR workflow try our solution.
Disclaimer: While we have checked our sources, it is important for you to seek legal advice related to GDPR compliance. This article does not constitute legal advice. The examples mentioned in this article are just a perspective, and are not meant to defame any esteemed organisations.
Surya Maneesh is the Brand Strategist at SMSwarriors, a smart SMS marketing software that allows marketers and businesses to communicate faster and promote themselves better through SMS. Connect with him on LinkedIn — https://www.linkedin.com/in/suryamaneesh/